BlackBerry Enterprise Server Express Manages Mobile Fleet

By Andrew Garcia  |  Posted 2010-03-29

BlackBerry Enterprise Server Express Manages Mobile Fleet

Research In Motion's BESX (BlackBerry Enterprise Server Express) breaks new ground with enterprise-grade mobile device management, extending centralized security, configuration and application controls to any BlackBerry device, regardless of service type, without any licensing costs for server software or client licenses.

Companies can use BESX for some of the most critical application and policy management plus security controls to help bring the entire mobile device fleet into compliance with the various regulations affecting the business.

Two types of customers stand to gain the most. The first are small businesses that are hosting their own e-mail environments and are already standardized on BlackBerry handhelds but that could not otherwise afford RIM's higher-end management products (or those using RIM's old Professional Software). These companies can now bring their corporately owned but unmanaged devices under management.

The second type encompasses larger businesses that are already running BES (BlackBerry Enterprise Server) for corporately owned assets. They can use BESX to extend mobile device services and usage policies to users bringing in personally owned BlackBerry devices without incurring the additional client licensing costs it would take to add those users to BES.

BESX is free: There is no charge for either the server-side software or the client licenses. This allows companies to focus on getting the server hardware configuration best suited to handle the expected number of devices to be supported. BESX is available for download now at

BESX only extends support to a subset of customers that could use BES, as the new software only works in conjunction with Microsoft Exchange Server, supporting Exchange 2003, 2007 and 2010. Smaller companies will also find they can use BESX with the Exchange implementation that comes with Windows Small Business Server 2003 or 2008. I performed my tests in conjunction with an SBS 2008 Standard environment.

Companies that need to support more than 75 BlackBerry devices should opt to install BESX on their own Windows Server. I tested with BESX installed on a separate Windows Server 2008 Service Pack 2-based server (Windows Server 2003 SP2 and R2 are also supported) virtual machine, outfitted with 2 processors and 2GB of RAM-which RIM states should be sufficient to support up to 2,000 devices.

However, companies looking to manage fewer than 75 devices can install the core BESX software directly on the Exchange server, provided it is outfitted with an additional 1.5GB of RAM, which means that customers won't even need to spring for Windows Server licenses to get going.

RIM's documentation states that BES and BESX cannot coexist in the same BlackBerry domain, so any companies looking to maintain them side by side should make sure that BESX does not use the same database as a currently deployed BES implementation.

BESX works with BlackBerry devices provisioned by the mobile operator for either BIS (BlackBerry Internet Service) or BES data plans. Indeed, in my tests, my BIS-enabled T-Mobile BlackBerry Bold 9700 test unit did activate correctly with BESX, accepting the appropriate service books from BESX in addition to those provided by the operator. This allows employees to gain the benefits of BlackBerry's back-end services, without necessitating the extra fees that operators commonly charge for enterprise BlackBerry services (for example, T-Mobile charges an additional $5 per month for a BES data plan).

Unfortunately, RIM doesn't control carrier pricing, so there is no guarantee that the mobile operators won't change their pricing terms down the road to require additional fees for use with a BESX deployment.

Familiar Architecture and Management


Familiar Architecture and Management

Anyone who has experience with BES 5.0 will be instantly familiar with both the architecture and the day-to-day management of BESX. For management, BESX employs a carbon copy of BES 5.0's Web-based BAS (BlackBerry Administration Service). BESX also includes the BlackBerry Attachment Service (which converts supported attachments for viewing on devices), the BlackBerry MDS Connection Service (which facilitates access to online content and applications) and the BlackBerry Router. I installed each of these units on a single server, but the components can be split out to multiple servers for additional performance.

BESX does lack BES 5.0's high-availability clustering capabilities, and it doesn't integrate with the BlackBerry Mobile Voice System or Microsoft Office Communicator. And, by my count, BESX offers only 38 IT control policies (along with 26 application control policies) to govern attached devices, compared with the over 450 policies available through BES.

Using BESX, I was able to easily create an IT policy that required a device password with an enforced complexity policy, disabled MMS (Multimedia Messaging Service) while keeping SMS (Short Message Service) enabled, disabled the device video camera while permitting still photos and required on-device encryption. As with BES 5.0, with BESX I could set up a WiFi policy that specifies network name, wireless security type and a preshared key (or certificates if needed), but those are set up and enforced via a separate policy.

A full list of BESX control policies can be found online in the Policy Reference Guide.

BESX also can be used to deploy and configure Java applications for BlackBerry devices in the field. Administrators can publish applications to a share on a protected network and add it to the BAS application repository, then create an application control policy to dictate the network connections, device features and APIs to which an application has access on the device. Administrators can also centrally permit or deny users the ability to add untrusted applications on their own and can define a policy to govern application control for those applications in bulk.

IT and application control policies (and application distribution policies) can be applied directly to individual user accounts or to groups of users defined within BESX. This allows an administrator to craft different policies depending on the user's role within the company or other factors. As with BES 5.0, BESX pings the Windows Active Directory daily to automatically pull a list of users that can be added by an administrator to the BlackBerry domain, but BlackBerry groups must be created within BAS (not using existing Active Directory structures.)

Again like BES 5.0, BESX comes with predefined administrative groups with differing levels of access, oversight and control over the BESX system. In tests, this allowed me to easily grant a different level of control to front-line help desk workers than I would to data center engineers. And I could either use existing Active Directory credentials to log on to BAS, or I could create distinct administrative accounts local to the BESX system.

When used with BlackBerrys running 5.x versions of the mobile operating system, BESX can also parse connections to protected file shares, allowing users to remotely access their data while on the road without needing a separate VPN. BESX also provides a much more usable interaction with Exchange than would otherwise be possible when provisioned for BIS through the mobile operator-wirelessly synchronizing Outlook and Exchange contact and calendar data in addition to e-mail. Plus, 5.0 OS clients can also manipulate Exchange folder structures from the device.

In tests, security features such as device lock, password reset and remote wipe worked as expected, with the events triggering correctly on powered-on, network-connected devices within a minute after the command was issued from within BAS.


Rocket Fuel